Permission and Authorization Bugs
// 5 bugs
Bugs where users can access, edit, delete, or view resources they shouldn't be allowed to.
// Why it matters
Permission bugs are among the most serious in any product. A user reading another user's data by changing an ID in the URL, a viewer performing editor actions through the API, or a direct URL bypassing an access check can expose sensitive information and trigger compliance or legal issues.
// Common symptoms
- User accesses another user's record by editing the ID in the URL
- API endpoint returns data belonging to a different user
- Hidden UI button still works when called directly via API
- Role change does not take effect until the user logs out and back in
- Removed team member can still access the workspace
- Admin-only page loads for a standard user if they know the URL
// Bugs in this category
Showing 5 of 5 bugs
When an application looks up a resource by ID without verifying the requesting user owns or is permitted to access that specific record, any authenticated user can read, modify, or delete another user's data by supplying the other user's resource ID. This is an Insecure Direct Object Reference (IDOR) vulnerability.
When a button or action is hidden from lower-privileged users in the UI, but the underlying API endpoint does not enforce the same permission server-side, the restricted action can be executed by any authenticated user who calls the API directly. Authorization is only enforced at the presentation layer, not on the server.
Any authenticated user can promote their own account to admin by including a 'role' field in the body of a PATCH /api/users/me request. The endpoint deserialises the entire request body onto the user record without an allowlist, so the role field is treated as a normal updatable field rather than a protected one.
After an administrator deletes or disables a user account, that user's existing bearer token continues to authenticate successfully and passes authorisation checks on protected endpoints. The authentication middleware verifies only the token's signature and expiry β it never queries the database to confirm the account still exists and is active.
An admin-only page is hidden from the navigation for normal users, but the route itself has no server-side authorization. A non-admin who navigates directly to the admin URL can load the page and, often, perform admin actions β because access control was applied to the menu, not the route or its APIs.
// Explore other categories
Authentication Bugs
Bugs in login, logout, password reset, session management, tokens, and multi-factor flows.
API Bugs
Bugs in HTTP status codes, request validation, response schemas, error messages, and API contracts.
UI and Frontend Bugs
Bugs affecting layout, forms, responsiveness, error messages, and how the interface behaves across browsers and screen sizes.
Data Bugs
Bugs involving incorrect, duplicated, stale, missing, or inconsistent data across the application.
Payment Bugs
Bugs in checkout flows, payment retries, webhooks, refunds, subscriptions, and invoices.
Time and Date Bugs
Bugs caused by timezone mismatches, daylight saving transitions, date range errors, and locale differences.
Search and Filter Bugs
Bugs in search results, filters, pagination, sorting, and result counts.
File Upload Bugs
Bugs in file type validation, size limits, upload progress, storage, and file preview.
Notification Bugs
Bugs in email delivery, push notifications, in-app alerts, webhooks, and notification preferences.
// Practise finding these bugs
Hunt permission and authorization bugs hands-on in a live practice app, then check your findings against the seeded-bug answer guide.